The following exploit can grant complete control of an organisation’s Windows network in less than 20 minutes. As usual, the exploit works thanks to a combination of ignorance and sloppiness (or lack of investment). Plug in a Windows laptop anywhere on the organisation’s network - this can be in head office, at a branch office or store, anywhere in any trusted third-party premises or perhaps through a dial-up connection. Browse the network using Windows Explorer and you'll get to see all the Windows machines on the network - there's no need to logon or join a domain for this to happen. Select a server (they're usually named in a obvious fashion) and attempt a "null session" connection - null sessions is a standard feature of NT & Windows 2000 which enable you to list users, groups, group memberships, etc. without any form of authentication whatsoever. And, yes, there's plenty of software on the Internet which will help you to establish a null session and then interrogate this information - my personal favourite is Hyena, a tool designed for managing Windows networks. Now list the users in the Administrators and Domain Admins groups and look for patterns, or rather exceptions to a pattern. Typically, organisations use obvious naming conventions for user accounts, but these are usually ignored where service accounts are concerned (Service accounts are administrator-level accounts used to enable applications to log on to servers and domains - applications such as Backupexec, Arcserve and Tivoli are obvious examples). Select each of these service accounts in turn and try to guess its password - it's not as hard as you might think. Frequently, network administrators will select something obvious, such as a password the same as the account name! Beware that you don't exceed the account lockout threshold, otherwise even the most harassed admin will guess something is up. If these fail, try those accounts which look like shared administrator accounts or scripted accounts, such as Administrator, Install, AutoInstall or similar. At least fifty percent of the time you'll gain Domain Admin access, allowing you create your own administrator account, join the domain legitimately and help yourself to any information on any server.
Now this is not rocket science. In fact it's something any teenage student could accomplish with the minimum of research. So why is it still possible to conduct this exploit at the majority of sites I visit? The answer has to be a combination of ignorance and disinterest. When I studied the official Microsoft NT courses, security issues were barely mentioned, so many MCSEs will remain ignorant of things like null sessions or even what constitutes a secure password. Few organisations have invested in a staff member with a remit to monitor new exploits and produce security build standards, review existing installations and plug the holes. Then most managers continue to believe that a firewall is a panacea, either ignorant or disbelieving of the fact that the majority of hacks come from within the organisation. Senior management still fail to realise that anyone with Domain Admins privilege can read, alter and delete any document anywhere on their network - be it on a server, a workstation or even a laptop, and that there are often dozens of accounts with that privilege.
The apathy towards password security is frightening. The push from the top for more results using the same or fewer people and resources makes it unrealistic for security to feature in any meaningful way. We seem to be becoming more aware of security in general terms, but unwilling to make the investment in personnel, training and good solid procedures.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.